Dependency Audit
Audit, update, and manage dependencies safely.
npm / Node.js
Audit
bash
# Run security audit npm audit npm audit --json # Machine-readable npm audit --production # Production deps only # Fix automatically npm audit fix npm audit fix --force # Allow major version bumps # Check specific advisory npm audit --advisory=1234
Check Outdated
bash
# List outdated packages npm outdated # Output: # Package Current Wanted Latest Location # express 4.17.1 4.17.3 5.0.0 my-app # lodash 4.17.20 4.17.21 4.17.21 my-app # Wanted = highest version matching semver range in package.json # Latest = latest version published
Update Strategies
bash
# Update within semver range (safe) npm update # Update specific package npm update express # Update to latest (may break) npm install express@latest # Interactive update tool npx npm-check-updates # List all updates npx npm-check-updates -u # Update package.json npm install # Install updated # Update with target npx npm-check-updates --target minor # Only minor+patch npx npm-check-updates --target patch # Only patch
Lock File
bash
# Regenerate lock file rm package-lock.json && npm install # Check lock file integrity npm ci # Clean install from lock file (CI) # Deduplicate npm dedupe
Python / pip
Audit
bash
# pip-audit (recommended) pip install pip-audit pip-audit pip-audit -r requirements.txt pip-audit --fix # Auto-fix vulnerabilities pip-audit --json # Machine-readable # Safety (alternative) pip install safety safety check safety check -r requirements.txt
Check Outdated
bash
# List outdated packages pip list --outdated pip list --outdated --format=json # Check specific package pip show package-name
Update Strategies
bash
# Update single package
pip install --upgrade requests
# Update all packages (careful!)
pip list --outdated --format=json | python -c "
import json, sys
for pkg in json.load(sys.stdin):
print(pkg['name'])" | xargs -n1 pip install --upgrade
# Pin versions after updating
pip freeze > requirements.txt
pip-tools (Recommended)
bash
pip install pip-tools # Define requirements.in (unpinned) # requirements.in: # flask # sqlalchemy>=2.0 # Compile to pinned requirements.txt pip-compile requirements.in # Update all pip-compile --upgrade requirements.in # Update specific package pip-compile --upgrade-package flask requirements.in # Sync environment to match pip-sync requirements.txt
Yarn
bash
# Audit yarn audit yarn audit --level moderate # Only moderate+ # Outdated yarn outdated # Update yarn upgrade # Within ranges yarn upgrade --latest # To latest versions yarn upgrade-interactive # Interactive picker # Dedupe yarn dedupe
pnpm
bash
# Audit pnpm audit pnpm audit --fix # Outdated pnpm outdated # Update pnpm update pnpm update --latest pnpm update --interactive
Renovate / Dependabot
Dependabot (GitHub)
yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "team-name"
labels:
- "dependencies"
groups:
dev-deps:
patterns:
- "*"
dependency-type: "development"
prod-deps:
patterns:
- "*"
dependency-type: "production"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
Renovate
json
// renovate.json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"schedule": ["before 6am on Monday"],
"automerge": true,
"automergeType": "pr",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["breaking"]
}
]
}
Update Workflow
code
1. Check what's outdated npm outdated / pip list --outdated 2. Run audit for vulnerabilities npm audit / pip-audit 3. Update patch versions first (safest) npx ncu --target patch -u && npm install 4. Run tests npm test / pytest 5. Update minor versions npx ncu --target minor -u && npm install && npm test 6. Update major versions one at a time npm install package@latest && npm test Read migration guides for major bumps 7. Commit and push git add package.json package-lock.json git commit -m "chore: update dependencies"
License Checking
bash
# npm npx license-checker --summary npx license-checker --onlyAllow "MIT;ISC;BSD-3-Clause;Apache-2.0" # Python pip install pip-licenses pip-licenses --summary pip-licenses --allow-only "MIT;BSD;Apache-2.0"
Reference
For CI integration and automation: references/automation.md